topic Re: concatene 2 similar search in Splunk Search

concatene 2 similar search

jip31 — Fri, 27 Jul 2018 07:15:34 GMT

i try to concatene 2 similar query

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
| stats first(data) as PatchLevel by host
]


| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 

| stats first(data) as WindowsVersion by host
]

i m doing something like this but it doesnt works

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
OR
key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
|stats first(data) as PatchLevel by host, first(data) as WindowsVersion by host]

Re: concatene 2 similar search

Shan — Fri, 27 Jul 2018 07:26:07 GMT

@jip31,

Try something like this ..

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\airbus\\master\\WindowsVersion" 
 |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data]

Re: concatene 2 similar search

jip31 — Fri, 27 Jul 2018 08:10:00 GMT

it doesnt works

Re: concatene 2 similar search

jip31 — Fri, 27 Jul 2018 08:11:17 GMT

please modify the key like in your answer :
\registry\machine\software\wow6432node\*XX*\master\PatchLevel"

Re: concatene 2 similar search

jip31 — Thu, 02 Aug 2018 05:20:51 GMT

hello
nobody for helping me please??

Re: concatene 2 similar search

jip31 — Thu, 02 Aug 2018 06:02:32 GMT

something like this??

join type=outer host [append [search earliest=-120d index=windows sourcetype=winregistry 
key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\PatchLevel" 
 OR   key_path="\\registry\\machine\\software\\wow6432node\\xx\\master\\WindowsVersion" 
  |stats first(data) as PatchLevel , first(data) as WindowsVersion by host,data

Re: concatene 2 similar search

jip31 — Thu, 02 Aug 2018 17:04:55 GMT

In fact my main question is To know how to use append with a jointure field (host in my example)?

Re: concatene 2 similar search

somesoni2 — Thu, 02 Aug 2018 17:29:32 GMT

Try like this

| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry 
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\PatchLevel" 
 OR
 key_path="\\registry\\machine\\software\\wow6432node\\XX\\master\\WindowsVersion" 
 | rex field=key_path "(?<type>\w+)$" | chart first(data) by host type]

Re: concatene 2 similar search

jip31 — Tue, 29 Sep 2020 20:43:30 GMT

Hi and thanks
it works for these 2 key path
BUT
I need to add o ne key and i done this
| join type=outer host [search earliest=-120d index=windows sourcetype=winregistry
key_path="\registry\machine\software\wow6432node\xx\master\PatchLevel"
OR
key_path="\registry\machine\software\wow6432node\xx\master\WindowsVersion"
OR
key_path="\registry\machine\software\microsoft\windows nt\currentversion\ReleaseId"
| rex field=key_path "(?\w+)$" | chart first(data) by host type]

But i have no data for ReleaseID
Other questions :
what is the reason why you user "rex" and "chart"?
thanks

Re: concatene 2 similar search

jip31 — Sun, 05 Aug 2018 08:39:57 GMT

oh i found for the 3 key 😉
so just tell me please what is the reason why you user "rex" and "chart"?
thanks